Sense of Awareness: The Art of Sensing Yourself (http://www.senseofawareness.com)

Uber and Under the Breach
http://www.senseofawareness.com/?p=1739
Wed, 22 Nov 2017 03:49:52 +0000

Everything you need to know about the Uber data breach, and much more. If you work in information security or privacy, you should read this…

Sleep

Darn, I really wanted to sleep, I really did! I had to work on something till late tonight, already got totally upset by 4pm, and when I finally finished it near midnight, I checked Twitter and darn, Uber had been hacked. “What the heck, they fired Joe Sullivan, their head of information security, and Craig Clark, (the?) director of legal? Wow, I must write about it”. Luckily tomorrow I need to wake up earlier than usual. Darn lucky.

But this is important.

Flashback – I think it’s 2013. I’m speaking with Alex Hutton during a BruCON break. At some point Alex tells me something that for some reason got engraved in my mind forever: “If you will not know how to measure risk and communicate it to the board, you will not be a CISO for long.”

Darn right.

So here is what we know, according to Bloomberg:

What happened:

Hackers stole the personal data of 57 million customers and drivers. Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders, plus information on 7 million drivers, including some 600,000 U.S. driver’s license numbers. Uber paid $100K to get the data erased.

How it happened:

Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
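The failure mode described above, credentials sitting in a source repository, is exactly what a pre-commit secret scan is meant to catch. The following is an added example written for this post (not Uber's, GitHub's or AWS's code): the key-ID and secret shapes are public AWS conventions, the sample file content and the AKIAQ7... key are constructed, and the values AWS uses as documentation placeholders are allowlisted so they are not reported.

```python
"""Scan file content for cloud credentials of the shape described in the breach
write-up: access keys checked into a source repository. Added example, not
Uber's or GitHub's code. The sample content below is constructed; the AWS
documentation placeholder values are allowlisted so they are not reported."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Public AWS conventions: access key IDs are 20 chars starting with AKIA
# (long-term) or ASIA (temporary); secret keys are 40 chars of base64 alphabet.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)
# Catch-all for other long tokens assigned in config; filtered by entropy below.
GENERIC_TOKEN_RE = re.compile(r"[=:]\s*['\"]?([A-Za-z0-9/+_-]{32,})")
# Values AWS itself uses in its documentation; never real credentials.
DOC_PLACEHOLDERS = {
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str   # "access_key_id", "secret_access_key" or "high_entropy_token"
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character. Hex tops out at 4.0, random base64 is roughly
    4.5-5.5, and 'aaaa...' is 0, which is how dummy values get filtered out."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Return findings per line; a value is reported once even if several
    patterns match it, and documentation placeholders are ignored."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        reported: set[str] = set()

        def add(kind: str, value: str) -> None:
            if value in DOC_PLACEHOLDERS or value in reported:
                return
            reported.add(value)
            findings.append(Finding(line_no, kind, value))

        for m in ACCESS_KEY_RE.finditer(line):
            add("access_key_id", m.group(1))
        for m in SECRET_KEY_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= entropy_threshold:
                add("secret_access_key", m.group(1))
        for m in GENERIC_TOKEN_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= entropy_threshold:
                add("high_entropy_token", m.group(1))
    return findings


def mask(value: str) -> str:
    """Show only a prefix so the report itself does not re-leak the secret."""
    return value[:4] + "****"


def report(text: str) -> list[str]:
    """Human-readable lines suitable for a pre-commit hook's output."""
    return [f"line {f.line_no}: {f.kind} {mask(f.value)}" for f in scan_text(text)]


# Constructed sample resembling a .env file mistakenly committed to a repo.
SAMPLE = """\
# constructed sample, not a real configuration file
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_ACCESS_KEY_ID=AKIAQ7MZ3XJ4PL2WVN8T
export AWS_SECRET_ACCESS_KEY="Qm9vZ2llV29vZ2ll5N2r8vT0hfXzLk3pWdYa1bCe"
export AWS_SECRET_ACCESS_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
api_token = "9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a"
db_password = "hunter2"
"""

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run as a pre-commit hook over staged files, a non-empty report blocks the commit; the entropy filter is what keeps the 40 a's and the documentation placeholders out of the findings while still catching the hex API token.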

Uber? No way!

This data breach is NOT Equifax redux. Uber is a totally different breed of company. It’s a market breaker, it’s cutting edge in technology, it’s DevOps, it’s container technology and microservices, it’s cloud and buckets, it’s all the things that most senior management in most companies consider “buzz words”, because they don’t understand anything about it. These are not buzzwords. These are technologies that can kill organisations, might make board members lose their jobs, and will almost certainly cause senior infosec and privacy people to lose their jobs, and not only senior ones.

The CISO

The CSO, Joe Sullivan, worked previously at PayPal and eBay, was head of security for Facebook, and surprise, surprise, he knows a lot of red team tricks, which he used throughout his stay at Uber. All the privacy violation programs Uber was running were “spearheaded” by Joe. Uber was very aggressive in its offensive infosec ops. Obviously that focus ignored defensive security, which led to the data breach.

The Board

Obviously Joe didn’t pay 100K from his own pockets, as the article clearly states “Uber paid”. The article states that Joe Sullivan spearheaded the response to the hack last year. As an ex-CISO (bank), if this is not a subject of discussion for a company board, I don’t know what a subject of discussion for a company board should look like. No way this was not under board discussion; it must have involved the CEO, the CIO (CTO), Legal, finance, and operations. If not, Uber has a horrible management organisation, with no real governance in place, which they obviously had till recently. As a reminder, just two months ago Uber agreed to 20 years of privacy audits to settle FTC charges.

Data Privacy

Which brings us to data privacy. The article states “Uber riders around the world”. Let me guess: if I say “Voulez-vous coucher avec moi?” there is a good chance that some of the people who were impacted by this hack as “riders” will be from a certain European country. Does this mean multiple notifications to multiple countries?

Lessons & questions to take home

Heads first: First of all, it’s a reminder. It’s a reminder that what Alex Hutton said to me a few years ago is true for all of us who work in and/or manage information security or data privacy. It’s a sharp reminder that our heads can find themselves in a guillotine basket if, sorry, when a breach occurs.

Survival is defensive: see my previous post, and scroll down to see the video of Jordan Peterson. Survival in nature is based on defence of the known and moving along the unknown path of life. This is why we are wired to react when we see a snake, not when our prefrontal cortex has finished processing to decide if it’s a snake or a wooden stick. Life is an art of staying where you should, not over-protective, and not over-offensive.

Smart can be your Achilles’ heel: Joe Sullivan seems to be good at what he does; the dude was on a NIST commission on enhancing national cybersecurity, advising the president! Based on what I had the chance to look at, the guy is most likely smarter than most of the people who will read this post, and for certain smarter than the person who is writing this post. If this guy had invested more in defence rather than an aggressive red team he might have been able to prevent this stupid data leakage from occurring. Smart does not mean wise. Which brings me to the next point…

Risk: I don’t know if Joe knows about quant risk; I guess he must know it. Most of the really smart people I meet know about quantitative risk management, such as FAIR. FAIR is the future right now: the big four are looking into it, RSA is working with RiskLens on it, so if you don’t do quant risk, it’s time to wake up and smell the auditors. If you need to measure cyber risk, please start planning to decommission risk heat maps. They are useless in measuring cyber risks.

DevOps: I hear some of you thinking out loud “I told you, DevOps means no security”. Not true, but also true. How did the two get access to the private GitHub repository? If they had had security in place this would not have happened, but when speed is more important than anything else, and security is busy on offence, the back is left vulnerable.

GDPR: Can any of us imagine what a data breach like this, relating to EU citizens, will look like in 2019? Well, I actually can, but this will be the topic for a totally different article; it’s already too late.

Awareness: oh, so much to write here, but I will keep it for a new … talk, perhaps.

Never underestimate

Uber is a very unique company. It decided to play as if regulations and laws don’t apply to it, and it was the best and the worst in many ways. It has a huge customer base, and a huge amount of explaining to do. Some rules and regulations are important. I don’t want to live in a dystopian reality where people work as slaves but are called “independent drivers”. If there is a valid business model that does not violate the ethical and moral codes of our society I will be happy to support it. If not, unless it changes, I will stop using it. Never underestimate the determination of a tired information security professional…

#CyberBlind
http://www.senseofawareness.com/?p=1731
Thu, 02 Nov 2017 16:53:00 +0000

Ridiculous information security salaries are the symptom of a bigger problem. Why salaries and job ads are superb indicators of your organisation’s cyber security maturity, how it can be improved, and why your organisation won’t do anything to fix it.

By Eh’den Biber

October has been an extremely hectic month for me. It’s been a while since I travelled and worked in so many countries; at some point I slept in 5 different places during one week. Amazing and exhausting at the same time; see the post photo, which was taken along the way.

When I came back, I decided to see if I could identify any shift in the job market, to see if I could make my wife happier by finding a role which doesn’t require me to travel so much. Sadly, the results are grim.

Over the years I’ve developed a sort of mentalist skill, and 5 minutes into a job interview I could already tell the interviewer things I shouldn’t have known, such as the fact they recently experienced a severe breach, auditors’ blues, or that someone had simply left in a hurry.

This brings us to the question: why? How come the responsibility and accountability of a person who takes such a role is not rewarded in the right manner?

HR

HR in most cases have no clue about the role they are asked to recruit for, and yet they are supposed to filter for the hiring manager. They then subcontract the hiring to a group of agencies, some of which have no clue what they are hiring for. I’ve been asked recently by a recruitment agency manager “What is a CISO?”. Enough said.

Take home message to hiring manager: Speak with the recruitment agencies, ask for recent references, meet them, or use the ones you trust.

Job Description

What is your role? What are you supposed to do (objectives)? What are the current KPIs you need to maintain or contribute to? These are basic elements that need to be part of a job description, yet companies sometimes have such unclear job descriptions that it makes you wonder how they could have any metrics for success. Others have a role description that makes you wonder how many FTEs are expected to perform all the tasks mentioned in the ad, only to realise that there will be one FTE and that is going to be you, if you want to join the madhouse. Once I received a job description that spread over four condensed pages, and when I asked if they had identified the short, medium and long term priorities I was told that all of the tasks are high priority, and all are required to be done by me.

Last but not least: most of the managerial roles don’t mention the budget you are in charge of, and when you ask what it is (I did) you don’t get an answer. How can you estimate if you’re going to be able to fulfil your role if you don’t know how much budget you have?

Take home message to hiring manager: Specify a role that includes things like role purpose, financial responsibility (at least to be shared at the final stage of the interview), direct reports, role objectives, KPIs to contribute to and deliver, qualifications, skills/knowledge, experience etc.

Role Objectives

I’ve mentioned role objectives in the previous point, but we must speak about this because it is where the shit hits the fan in many cases. If you are hiring someone and you want him to succeed, the role objectives should be related to the organisational objectives. However, even when that occurs (rarely), in most cases it’s a pseudo relation, because in most organisations employees’ performance measurement is a joke. Most of my career I’ve been asked to provide my yearly objectives before I received my manager’s objectives, and that’s because he didn’t receive them from his manager. If your manager’s performance is not measured correctly, how will any measurement of you mean anything? And if you want to hire a person, how can you hire the right person if you don’t know how to measure him?

Take home message to hiring manager: If you don’t have the ability to map the role objectives of the person you wish to hire into your objectives and the org objectives, perhaps you should work on it before hiring anyone.

Infantile Risk Maturity

This leads us to a much bigger issue, which I can summarize in ten simple words:

Organizations do not know how to measure cyber security risks.

Let me break it down to you:

Organizations

Do not know

How to measure

Cyber security risks

Here’s an example: remember the role objectives? If your organisation can’t associate the risk reduction that is related to specific role objectives, or, god forbid, quantify it, how can it really know that the salary which is supposed to be paid to that person is correct?

There is a systemic, cross-industry lack of understanding of how to perform risk analysis. It’s also size agnostic: last year I spoke with a person holding a very high role in an undisclosed large bank. He admitted to me that his bank realised they don’t have the right tools to measure cyber risk in a workshop they did in 2015. Mind you, this occurred in a huge bank, while most organisations haven’t even reached that “A-Ha” moment (thank you Oprah).

When people don’t know how to measure risk, you can’t be surprised they come up with silly salaries for such risk-mitigation-focused roles. If you don’t even know how much risk you have, how do you know that the salary you offer is appropriate?

Take home message to hiring manager: If you can’t quantify the risk reduction that will be associated with the role you wish to fill, don’t be surprised that this “finger in the air” measurement method will attract the wrong types of people, and that the salary you offer is too low. Ah, and don’t trust the market average, the same way you don’t trust the advice of a ship full of fools, or ask for directions from a group of blind people.

Auditors

Most organisations have 3 lines of defence: operations, risk, and audit. Your auditors are supposed to provide assurance to the management of the company that it functions as they wish it to. When it comes to information security, ISACA is the de facto authority for certifying auditors, and they don’t do their job correctly when it comes to risk measurement, a critical element in the security posture of an organisation. ISACA allows certified auditors to accept point estimates (AKA risk heat maps) as a valid risk measurement. Most of the current risk methodologies are not fit for purpose and should have long been decommissioned, yet here we are, in 2017, and risk people are still allowed to use them.

We (in general) have a systemic bad practice of risk management even though there are alternatives. Jack Jones’s FAIR (Factor Analysis of Information Risk) was founded in 2005. It’s been an open standard for years now, yet you see risk heat maps everywhere, rather than probability distributions.
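To make the heat map versus probability distribution point concrete (for this paragraph and for the FAIR remarks in the Uber post above), here is an added, deliberately simplified FAIR-style Monte Carlo in Python. It is my own illustration, not the Open Group FAIR standard or any vendor's tooling; the loss event frequency and loss magnitude figures are constructed, and the lognormal mapping of a 90% confidence interval is one common calibration choice, not the only one.

```python
"""Simplified FAIR-style Monte Carlo: turn calibrated estimates into a loss
distribution instead of a heat-map cell. Added illustration, not the FAIR
standard itself; the figures below are constructed."""
import math
import random
from dataclasses import dataclass

Z90 = 1.645  # z-score that bounds a two-sided 90% confidence interval


@dataclass(frozen=True)
class Scenario:
    """What an analyst elicits for one loss scenario (FAIR's top-level factors)."""
    name: str
    lef_per_year: float  # loss event frequency: mean loss events per year
    loss_low: float      # 5th percentile of loss magnitude per event
    loss_high: float     # 95th percentile of loss magnitude per event


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Map a 90% CI [low, high] onto lognormal (mu, sigma) in log space."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; adequate for the small event rates used here."""
    if lam <= 0:
        return 0
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 7) -> list[float]:
    """Annual loss per simulated year: events ~ Poisson(LEF), each with a lognormal cost."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario.loss_low, scenario.loss_high)
    annual_losses = []
    for _ in range(trials):
        events = poisson(rng, scenario.lef_per_year)
        annual_losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return annual_losses


def percentile(values: list[float], q: float) -> float:
    """Nearest-rank percentile on an unsorted list (0 <= q <= 1)."""
    s = sorted(values)
    return s[min(len(s) - 1, max(0, round(q * (len(s) - 1))))]


def summarize(losses: list[float]) -> dict[str, float]:
    """The numbers a board can act on: expected loss and tail percentiles."""
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p99": percentile(losses, 0.99),
        "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


# Constructed scenarios that a 5x5 heat map might well put in the same
# "medium" cell, yet whose tails differ by orders of magnitude.
SCENARIOS = [
    Scenario("lost or stolen laptop", lef_per_year=12, loss_low=500, loss_high=5_000),
    Scenario("cloud keys leaked via source repo", lef_per_year=0.5,
             loss_low=100_000, loss_high=10_000_000),
]

if __name__ == "__main__":
    for sc in SCENARIOS:
        print(sc.name)
        for key, val in summarize(simulate(sc)).items():
            print(f"  {key:>21}: {val:,.2f}")
```

The p90 and p99 lines are what a heat map cannot express: two scenarios with a similar "likelihood times impact" score produce very different answers to "how much could we lose in a bad year".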

I have many friends who are part of ISACA; I’ve even been a director once. So how come ISACA doesn’t use its power to push for a change? To understand that, I invite you to see the following video that explains it all. It is called “Human Motivation and Zebra Camouflage”.

In short: people are driven by fear of being anxious or in pain, by avoiding suffering, NOT by the drive to be happy. Change can lead to suffering, hence people will do anything to “keep what we have” if the new is unknown, and since we have been using the same outdated methods for so long, people stick to them and refuse to evolve until they are hit.

Take home message to hiring manager: If you want to see a real change in your cyber recruitment, you must work with stakeholders to change the risk methodology of the organisation, and you should have sessions with the auditors to see if that is possible. If you see you can’t change the risk methodology, brace yourself for a breach which you will be blamed for.

Introduction

A few years ago, I had a colleague who was about to depart on a flight to a lovely vacation with his wife. As the airplane was waiting for the signal to lift off, my colleague’s wife started to scream. I mean REALLY scream. As my colleague’s wife had taken many flights before, my colleague had no idea what the fuck was going on (forgive my French). Long story short: the airplane went back to the terminal, my colleague and his wife were taken off the airplane, severe sedatives were used, and instead of a lovely vacation my colleague spent the next few days in a mental institution seeing his loved one going through hell. This whole thing was followed by a long recovery process, and almost broke him to pieces as well.

That is what an “unknown unknown” feels like when it explodes in your face. You can’t quantify it; you experience it, but you don’t understand it, and it devours you to pieces, into a hell you didn’t even know existed. Panic attacks are so scary because you don’t know what you’re hitting. Imagine Usain Bolt running his phenomenal 100-meter dash and just as he is about to cross the finish line he smashes into an invisible wall. Jordan Peterson explains that encountering the unknown is at the root of all PTSD, and can break people, even lead them to kill themselves.

And this, my friends, is how the GDPR is going to feel to most organisations.

GDPR

The GDPR became a buzzword for consultancy firms (e.g. the big 4) who loved the way it allows them to sell more services. It was heaven for vendors, who suddenly re-labelled their products with annoying ads such as “Our refrigerator is GDPR compliant and can handle all your deep data needs” (meaning: they have a freezer they want to sell you). It’s been abused by everyone, most likely by me as well. Right now, the information industry is in the midst of a Tourette’s attack, with the words “GDPR” and “privacy” substituting for the foul language used by some people who have the syndrome.

“But isn’t raising awareness good?” you might ask yourself. After all, organisations must prepare for the GDPR, which will become law in 2018.

Well, yes and no. The biggest problem is that most of the current activities I’ve seen so far are creating a risk most organisations have no clue about. An Everest of “unknown unknowns” that is going to explode sooner or later.

“What is that Everest????? Tell us!!!” you demand.

“Are you sure?” I asked cautiously.

“YES!!!! Please!”

“OK, the unknown unknown that I talked about is … privacy.”

(silence)

“What the hell!!!! Really? Privacy? That’s what you’ve been scaring us with? We get privacy. We have a DPO. We mitigated all the risks we identified (thanks to our beloved consultancy firm). We bought technology. We even have a privacy awareness program. OK, it’s a computer based training, but still, it’s a state of the art one! What the heck are you talking about?”

I stand firm by what I said. Let me use capital letters, in bold, to shout it out to you:

YOUR ORGANISATION HAS NO IDEA WHAT PRIVACY IS.

If you think…

If you think that having a designated person with the title DPO, who might understand privacy, means you’re ready for the GDPR, you’re not. If you think that because you have a work order for a privacy program you’re ready for the GDPR, you’re not. If you think that because you used automatic discovery tools to identify where your data assets are located you’re ready for the GDPR, YOU’RE NOT. As Molière once said, a man should be allowed to speak in public for as long as he can make love. Boy, I can make love with this GDPR for hours. Let me give you one example…

CEO Classroom

As you surely know, one of the GDPR pillars is “privacy by design”. It’s the notion that when you design an information system you must take all the aspects of the GDPR into the design process. So far, so good, right? WRONG.

Let’s imagine a classroom full of kids, sorry, CEOs. Fade into classroom:

“Hey there, who can tell me who is responsible for making sure your organisation will follow the privacy by design requirements?”

One CEO was about to speak, but the person next to him noticed it, and smashed his head into the table (obviously a much more seasoned executive). He now jumps up and down on his chair: “I know!!! I know!!! I know!!! me, me, me!!!!”

(me, playing the role of the teacher): “OK dear, what would you like to say?”

(the CEO, with a delighted smile on his face): “It’s the DPO”

Now you understand why people don’t want to work in education, right?

“No, it is not the DPO. It’s everyone. Everyone in the organisation needs to be thinking of privacy. Everyone is responsible.”

“I was about to say everyone, but he smashed my head” (the other CEO is lifting his bleeding head from the table).

“And how were you going to do it?” (forced back into my fake tutoring position)

“We have a privacy awareness program”.

“Who exactly is running it?” (a glimpse of hope rises within me)

“A person in our privacy team is leading the effort”.

“And how did you hire him?” (high expectations rise)

“Our HR and the DPO did it. Can I get my bonus now?”

Oh, no you don’t. CEO classroom fades away.

Forgive my French

You see, privacy, like the true nature of information security, like the bigger reality, is unknown to people. It’s what the French language is to most people who are British. If you’re British and you learned it in school, you might be tempted to think you know it. But ask any French person; he will tell you that British people don’t get French. Michel Thomas, the master of languages, explained in his French training that in English, when you don’t understand something you say “I didn’t understand it, can you repeat?” and the person will repeat the sentence he just said. In French, if you say the same thing, the French person will assume you didn’t understand him and he will construct a totally different sentence.

To most people in most organisations privacy is an unknown foreign language; teaching them a few catch phrases might help if they plan to go to a bar to get laid, but it’s not going to help them write a novel. Developing information systems following the privacy by design principles is like writing a novel. You know what French people call a novel written in French by a typical British person? A waste of paper.

Awareness Rant (SANS)

Before privacy we had been trying to make people act as if information security were part of their “DNA”, and we failed. Not only did we fail, we became experts in our failure. Take for example the SANS Annual European Awareness Summit: its agenda is mostly useless. This year I decided to try and approach them and suggest doing a lightning talk. Hey, after all, I’ve been writing about the subject of awareness for many years, I’ve done more research into multiple approaches than most people in the field have even heard of, and I had already done more than a decade ago things people do today. I got … no reply.

So yes, the awareness industry has been promising to make people change their behaviours and we see no evidence it works so far. How come they can’t do it? Perhaps because the dedicated team of people who are supposed to understand what makes people do things, and how you can influence them (aka “HR”), are in most organisations a human bureaucracy office, because that’s the board’s understanding of human nature.

You expect the human resources departments who had no clue how to lead individuals to change their information security awareness/culture to succeed in privacy awareness/culture change. Who are you fooling?

DPO

In the last few months I’ve been approached endlessly by multiple organisations who wanted someone to lead their information security and privacy activities. HR decided I can do both. How? HR have no clue what privacy is, and I know it because they have no idea what information security is. I had to sit through way too many telephone interviews arranged by HR, wishing I had more hair so I could tear it out, because the person on the line didn’t match at all the position I was wishing to fill. HR thought they fit. If privacy is like French, how can you tell whether your DPO is speaking French or just talking with a fake French accent? Your organisation can’t tell, because no one in it speaks French. If you had one, he would already have been the DPO!

Same for the people whom you plan to hire to do the awareness training. Here the situation is even more complicated: you need to hire someone who speaks the French, sorry, privacy language, AND you need to find a person who can explain this mysterious unknown thing to the people, to introduce it to them. Do you know who has done such things throughout the years? Creative people. Artists.

Creativity

In a recent talk about creativity Jordan Peterson explained that our perception of reality is very different from how it was before the impressionist artists came along. If you don’t believe me, take a visit to an art museum near you and go to the period before impressionism. It looks completely different, and it represented the way people perceived things.

Here is Jordan Peterson: “Art is exploration, it trains people to see. Most of you regard impressionist art as both self-evidently beautiful and also as relatively traditional, because you all now see as impressionists see… the impressionists’ aesthetics saturated everything. Saturated advertisements, saturated movies, it saturated everything. You now see like impressionists. They taught you to see. But back when the impressionists first showed up there were riots when their art was hung because the idea of perceiving that was so radical that it caused people to have emotional fits. Art teaches people to see and I mean that literally.”

You see, in order for you to teach others to “see” privacy you need privacy artists. Most likely, if your organisation is built upon the common corporate governance framework, the chances of it being able to nourish artists, who are extremely creative people, are very low. Artists don’t like structure; they always challenge it, because they see the world differently than others. It has biological roots; it is part of their personality which makes them as such. Organisations need such people, but have no idea what to do with them.

Usually it goes something like this:

“Hi, you are our new creative person? Great to meet you. I heard you are passionate about expanding the horizon of our organisation on privacy, right? Great” (the “great” was said in a very passive aggressive tone).

“So here is your cube, where you are required to be creative. I need you to give me the schedule of how you plan to do it by next week. Oh, and don’t break anything. Oh, and don’t question anything. Oh, and don’t disturb anyone. Where are you going? Please stay!!!”

You might think I’m kidding, but this is a real problem most organisations experience when it comes to recruitment of creative people. Jordan Peterson explained in the talk I mentioned that creative people are the entrepreneurial type, and systems need them, but systems do not nurture creativity, because systems are the antithesis of creativity.

Solution time

The GDPR is about empowering the data subjects. As such, if you want to be sure that you will not collapse under an Everest of GDPR “unknown unknowns” you need to seek an external provider who loves privacy, who lives privacy, who thinks privacy, who feels privacy, who dreams privacy, who speaks privacy, who is passionate about privacy, who believes in privacy, who is a champion of privacy, who understands how to make people more aware of their privacy rights. Privacy artists.

Find such a provider, speak with them, ask for their advice on how to introduce this unknown language to the people in your organisation. If you don’t, your organisation will end up one day like my work colleague, but in your case it will be experiencing a total privacy failure, having no clue what hit it, and going through a hell it never imagined possible.

Who are the real hackers, and why most of the news about hackers is fake (snippet from my upcoming talk)…

By Eh’den Biber

Hi everyone

As you might have seen from my previous posts, I’ve been writing a long post called “the revolution”, which covers my journey into finding ways of communicating and connecting with my son, who has severe autism. I was about to post a new update to it, but then I stopped.

You see, in the last two years I’ve been planning to give a talk about the subject of substance abuse in the hacker community. This is a topic which has HUGE implications for anyone who either is a hacker, works with a colleague who is a hacker, employs one, or plans to employ one. The reason the update to “the revolution” was delayed is that substances and their impact on non-ordinary states of consciousness was just too big for a written update.

And the good news is that thanks to it, I’m finally ready to give a talk on the subject. It would be lovely to share it with Peerlyst members here in London, and I will be looking for an event space for it. Also, I plan to share it at upcoming CONs because it’s probably the most interesting topic I’ve researched, and one with huge implications for many people who are reading this right now. Based on my experience, if you are reading this you either abuse substances or know a substance abuser. If you have an upcoming CON and wish me to talk on the subject, please contact me directly. I assure you that it’s going to be one of the most interesting talks you will have at your event.

Fake News

There is an epidemic of “hacker news” that dominates our world at an alarmingly increasing pace. It’s moving so fast that mentioning any reference here is a mistake, because it will be blown away by another data breach so fast that the reference will most likely be forgotten.

The problem is that most of this news is fake.

No, I don’t mean to say that mainstream media is not reporting the truth. Well, they don’t, but that’s not what I mean. What I wanted to say is that in almost all cases where data breaches occur, the people who performed them are simply not hackers.

Most of the people you call “hackers” are not real hackers. They are individuals with specific high technical skills that allow them to perform specific activities which would be hard for non-trained people to do. We used to call that kind of people “scientists”, but since no university has a bachelor’s degree in “hack sciences”, not to mention a master’s degree, everyone can call themselves “professor hacker” and get away with it. Don’t get me wrong: the skills a hacker requires vary greatly, the same way the skills of a doctor who practises surgery vary greatly. Amputating a leg requires knowledge but is relatively easy; same for SQL injection. However, it’s complicated to do heart surgery, and it can be pretty darn hard to penetrate a well-fortified organization and steal information from it. Regardless of the level of expertise required, having a particular set of skills does not turn you into a true hacker. The same way being able to perform a surgery does not mean you will be able to develop a new procedure to help patients with severe issues, knowing how to penetrate an organization does not mean you will be able to find new ways of getting root access on a system.

Let’s start with the fact that most of what you read about in the news when the word “hack/er/ers/ing” is used is actually “crack/er/ers/ing”. As Ben Yagoda pointed out in his “The New Yorker” article entitled ‘A short history of “Hack”’, The Jargon File, a glossary for computer programmers that was launched in 1975, lists eight definitions for “hacker.” The first reads, “A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.” The following six are equally approving. The eighth, and last, is “[deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence password hacker, network hacker. The correct term for this sense is cracker.”

PS – this is how to pronounce the word “cracker”:

Some people might say that all of this terminology is just jargon wars, which aren’t important at all. I strongly disagree with that. The same way calling all Muslims “terrorists” is wrong, calling everyone who is involved in technology meddling a “hacker” is bad. If you’re a policy maker and you treat all Muslims as terrorists you’re a racist. If you are in charge of threat intelligence and you think all crackers are actually hackers you are doing a horrible job in identifying your threat actors, their capabilities, and the probability of their actions within the domain you try to protect.

You see, we are not dealing with a new human trait or behavior that started in the last few decades. Hackers existed throughout human history, but until recently they weren’t called hackers, but artists. Hackers are the artists of the digital information era. Yes, real hackers are artists who work with technology, the same way real data scientists are artists of data.

Some scientists (of all domains) are also hackers – those who seem to have an exceptional perception beyond what most scientists have. They are people who are wired differently, and their form of art is science. Most scientists are not artists, the same way most of the people you call “hackers” today are not real hackers.

REAL artists break structures, either expanding them into new directions or diminishing them. As Jordan Peterson said, artists live on the edge between the known and the unknown, and via their art show us the unknown. They do so via music, writing, sculpture, architecture, dance, love making, science, and “hacking”. And again – most of the “artists” are not real artists. Albert Einstein and Richard Feynman had more artistic talent than Katy Perry, Justin Bieber or most of the people you watch online will ever have.

(C) All rights reserved, 2017.

Time Capsule
http://www.senseofawareness.com/?p=1655
Sun, 13 Aug 2017 10:01:35 +0000

“Hey Eh’den, I found two hard disks of yours”. My wife and I have been struggling with a water ingress issue in our son’s bedroom, and while she was taking the opportunity to un-hoard (also known as “throw away shit he is still keeping”) she discovered forgotten external hard disks of mine. One of them was a mini USB drive, 500GB of information which I thought I had already backed up onto my 2TB hard drive.

As I was going over the endless folders and sub-sub folders I discovered a folder called “videos”. And there I discovered old videos I took of my kids when they were young.

I played the videos to my wife. She was sitting next to me quietly, shocked. After watching a few of the videos she told me “Eh’den, I now understand why you refused to accept his autism. He looked so normal as a child”.

Looks so normal. Oh, how I miss my innocent Rephael, before puberty kicked in, before his body transformed into that of a teenager, growing in order to prepare him to become a man, not taking into account his brain that is not fit for the world we live in. These are memories from a time I still had hope I could reverse his autism.

Now Rephael is in the bath, and I am talking to him, telling him in 3 languages that all I want is to talk with him, to hear what he thinks, what his heart is feeling. Tears fall from my eyes into the bath water, as Rephael looks at me with open eyes. Does he understand what I am saying? I can’t tell.

Oh, memories from a long, long time ago, thank you for reminding me of the journey, the music, and the silence.

Adventure into the male psyche that helps spammers make money.

By Eh’den Biber

This is the story of a spam email, the vulnerabilities it exploits, and the remediation actions required to address it.

How did we get here?

As has been written many times in the past, the internet was never designed to be the internet; from a trust perspective it was an intranet – and the protocol RFCs that were developed on top of it never imagined that it would run on dog collars. I kid you not.

www.linkakc.com

Modern email systems can be configured pretty effectively to block most spam. You want to do it not only because spam is a great way to make employees click on links that might lead them to bad places, but also because of the sheer amount of storage these annoying things require. So technically we can and should talk about the wide list of controls that you could and should implement in order to stop a major amount of shit from hitting your fan. We can talk about how to configure bastioned email gateways at another time, and on the way there you may want to listen to some good advice; I hereby give you Wolfgang Goerlich:

When Spammy met Harry

For this section, I will focus on the human element. Assuming a spam email has been caught by the spam filter, you would assume that no person in his right mind will go to the spam folder and open emails in it, right? Well, if we did our work correctly, they shouldn’t. However, spam filters are not bullet proof, they do fail from time to time, and many people, including yours truly, had to learn it the hard way. My CISA certification got lost because I didn’t receive the notification to report CPEs on time, and when I tried to contact ISACA and ask them to update it I had to fight for months, ask for a favour from a friend who worked at the ISACA board (yes!), and even after all of that they refused to accept my CPEs. It was not nice, and if anyone who is a member of ISACA can help me here, I will be happy to know about it! (Dream on, baby!)

The truth is that most people will check their spam emails from time to time. Actually, as spam filters get better and the amount of spam that passes the filters drops, why shouldn’t you? If you see one message sitting in your spam folder, it is worth taking a chance and checking it. The behaviour pattern that spammers are utilising is our “Dopamine Slot Machine”, the same mechanism behind things such as our addiction to our social media feed. People go to spam mailboxes. It’s an evolutionary fact, because if it weren’t true spammers wouldn’t be reaching the required mass to operate from a financial standpoint.

And in any case, we always need to remember the statistics: idiots outnumber the Neil deGrasse Tysons of the population by a far stretch.

With that said, the scene is ready for the spam message itself.

Why does it work?

The email subject is:

How does it feel to be a loved one? I wish to feel it someday.

First, a comment, and a very important one.

We assume that to feel “being loved” someone else must do it (to us), not via us loving others. The truth is that you truly feel being loved only when you love someone else unconditionally. It’s a strange thing, totally counter intuitive. As Justin from “Smarter Every Day” said about the backwards brain bicycle: “Once you have a rigid way of thinking in your head, sometimes you cannot change that, even if you want to” – it’s true in bicycles, and it’s true in our perception of love.

Back to our story: when we open the email, we see we got a message from “a girl” named Tatyana, from Russia. Not a woman – a girl. Are you adopting a child? No, and we are not in Japan (at least up to 2014), so stop trying to look for girls!

You learn it is a smart “girl”, middle class, a doctor from Russia. A doctor of what? We have no idea. How old? We don’t know, and we don’t mind that she doesn’t tell. Hint to the Casanova – if a woman is trying to hit on you, and she tells you about herself without mentioning her age, it’s most likely not a woman. A real woman will always tell her real age – minus a decade or two.

She mentions that she’s from Bryansk. You’ve never heard of Bryansk, which makes sense because many Russians don’t even know where it is. Who cares, she’s a girl, right? And she is lonely!

Then she tells you she was dreaming of meeting a stranger from another country because she saw it in films.

OK – summary: a woman who refuses to admit how old she is, who calls herself “a girl” (which means she has severe maturity problems), and who is dreaming of meeting someone from another culture, thinks it is going to work because we all know Hollywood makes ONLY documentaries. Right? And until now not even a sign of alarm to you? Don’t you even think “how the heck did she find me?”, or question the fact that the email comes from Poland? But how could you tell, if you never took the time to learn what domain suffixes mean?

Great, let’s continue! Then she tells you she found a website “where thousands of young women like me had registered and found the love of their life”.

HOLD ON.

So, she tells you that there is this website in which you might find even MORE desperate women who might even be able to ignore your behaviour patterns that destroyed all your previous pathetic attempts to establish a connection with a female partner? Someone who could live with your inability to show your emotions because she is a strong Russian woman who never smiles, exactly like your mother? Could it be that her city is near a nuclear and chemical waste facility, which will make her immune to the smell of your farts, and to cherish the dirt in your apartment that manage to scare away even the cockroaches?

You’re getting excited! You think to yourself “Could it be that you found a woman as desperate as you are to feel a human touch? Could it be true?”, you ask yourself. Then she tells you: Just click below, go to the website and find me there.

“The force is with me!” you say to yourself, out loud, waving your imaginary light sword.

STOP.

Sonny boy, let me give you a small piece of advice about women, a subject I see you might have little if any experience with. Women don’t share their man, and will shut down competition faster than you can blink. If there were a first-person shooter in which a woman hero goes on a journey to eliminate all the threats she has from other women that might be stealing her man from her, women would be dominating the game. If there ever were such a game, any woman, even fully drunk, would be able to kick your ass. Women would butcher every bitch that came within a mile of their man, if they felt there was a danger to their relationship.

The fact that you believe that a single woman will just share a website that will have thousands of other women that can compete with her on your heart is simply sad brother, so sad.

Please don’t click… please… ohh too late.

Afterthought

So yes, this is how men fall for such spam emails. And before my beloved sisters feel they are better – oh, you’re so at risk as well. I personally know enough women who will click on a link to a fake sales site faster than men will click on links to porn sites.

Spam works because most human beings are lost in their mind. In different degrees, in different ways – but lost. Our unwillingness to admit it is in the heart of our information security problems.

And because we are all so tired to be alone.

Remember – security is a perception. The bigger the gap between perception and reality, the bigger the risk you are in. The solution is simpler than most people can think of, and it brings us back to the beginning of the story: until you practice giving unconditional love you are vulnerable.

Namaste

Eh’den

Cyber Autism
http://www.senseofawareness.com/?p=1629
Thu, 22 Jun 2017 11:49:21 +0000

The introduction part of a talk entitled “Cybersecurity Risk Masterclass 101” which I gave on the 20th of June, 2017, during the CyberSecurity Talks & Networking event in London.

The Revolution
http://www.senseofawareness.com/?p=1608
Sun, 14 May 2017 20:10:02 +0000

How I became part of an invisible hacking revolution.

By Eh’den Biber

Remark – Contrary to my other writings (e.g. “Making Privacy Great Again”), this is going to be an evolving story. It means that I will be continuously updating it. Also, I plan to record it as a podcast so you could listen to it rather than read it.

Prologue – Long drive

13 years ago, when my youngest son Rephael was three and a half years old, my ex-wife and I arrived at a Belgian hospital to hear the diagnosis of his condition. After months of observations and tests the result came in, and even though I remember everything that was said, looking back I realise that at that time I had no ability to grasp its meaning: “Your son has severe autism. It will never go away, it will not improve. You will never be able to communicate with him, you will never be able to send him to a normal school. Your son will never be able to be independent; your son will need to be in a mental institute when he grows up.”

We had three beautiful kids, two of them, his older brother and sister were “normal”. How can you, as a parent, even imagine what it would be like to have a “non-normal” child?

Driving back home that day was the hardest drive home I ever had. My ex-wife was crying, shouting in pain, as the news was reopening the scars of losing our second son, and the death of our third child, our daughter. While she was collapsing, something strange happened within me. I felt a strange state of calmness, and I heard myself saying “We will be OK; I will find a way to heal Rephael”. I didn’t say it out loud, but in my heart I made the oath that I would never stop, would never rest, and would never accept Rephael’s condition, that I would do everything I could to find a cure for it.

The same way I didn’t know what it meant to raise a child with severe disabilities, I had no idea that my promise to our son would lead me to be part of a revolution.

Welcome to the revolution.

Introduction

There is a hacking revolution taking place right now, and most people have no idea about it. The economy that fuels this revolution is bigger than the GDP of India or Russia, and involves Wall Street traders, Silicon Valley executives, special ops, scientists, hippies, and seemingly innocent individuals across the world. It is driven by a vast array of technologies, some of them illegal, a few of them extremely dangerous. Governments are aware of these technologies; some have experimented with them. Cultures around the world are afraid of them, and have tried their best to condition us against using them, yet the internet has made these technologies and the revolution they fuel almost unstoppable.

What you are about to read is highly important for you whether you’re a CEO or a normal employee, living alone or a parent of kids, religious or atheist. At this moment in time, when computing power and artificial intelligence are taking over much of what we humans used to do, the decision you make whether or not to join the revolution will determine if you will evolve or dissolve.

This is the story of the biggest hacking community that exists on this planet, a community of people who invest huge amounts of resources to try and reach beyond their own imagination. This is my story, and the story of the communities I met along the way. This is your story, whether you like it or not, because a failure of this revolution will most likely mean the end of our species.

Stealing Fire

The revolution I was talking about is centred around what science calls non-ordinary states of consciousness. Comment – scientists should really use a PR agency if they want their subject to become a meme.

In February this year a new book came out to describe the revolution. “Stealing Fire”, written by Steven Kotler and Jamie Wheal, is the first book that tries to cover the revolution from a macro view, rather than focusing on different elements of it. The full name of the book is “Stealing Fire: How Silicon Valley, the Navy SEALs, and Maverick Scientists Are Revolutionizing the Way We Live and Work”, and here is the description of the book on Amazon:

It’s the biggest revolution you’ve never heard of, and it’s hiding in plain sight. Over the past decade, Silicon Valley executives like Eric Schmidt and Elon Musk, Special Operators like the Navy SEALs and the Green Berets, and maverick scientists like Sasha Shulgin and Amy Cuddy have turned everything we thought we knew about high performance upside down. Instead of grit, better habits, or 10,000 hours, these trailblazers have found a surprising short cut. They’re harnessing rare and controversial states of consciousness to solve critical challenges and outperform the competition.

New York Times bestselling author Steven Kotler and high performance expert Jamie Wheal spent four years investigating the leading edges of this revolution—from the home of SEAL Team Six to the Googleplex, the Burning Man festival, Richard Branson’s Necker Island, Red Bull’s training center, Nike’s innovation team, and the United Nations’ Headquarters. And what they learned was stunning: In their own ways, with differing languages, techniques, and applications, every one of these groups has been quietly seeking the same thing: the boost in information and inspiration that altered states provide.

Today, this revolution is spreading to the mainstream, fuelling a trillion-dollar underground economy and forcing us to rethink how we can all lead richer, more productive, more satisfying lives. Driven by four accelerating forces—psychology, neurobiology, technology and pharmacology—we are gaining access to and insights about some of the most contested and misunderstood terrain in history. Stealing Fire is a provocative examination of what’s actually possible; a guidebook for anyone who wants to radically upgrade their life.

Here is a five-minute summary by one of the authors, Steven Kotler:

Which brings me back to my story…

The Guinea Pig

On that day in the hospital when my ex-wife and I were given Rephael’s diagnosis, I had already been reading everything I could about autism. What I saw stressed and scared me, because science didn’t know what causes it, or how to treat it. The doctors at the hospital suggested that we put our son in specialised schools, and we did. However, the school approach was focused on behaviour change, and frankly I didn’t like the results. To me it felt that they were putting their emphasis on programming my son to respond correctly to a stimulus, but not on developing him beyond that. It was clear to me that in order to help Rephael I must find another way. But what?

I decided to be a guinea pig.

You see, I had a great hypothesis: If I could find a way to be free from my mind, from my “normal state of consciousness”, and if I could repeat the experiment on myself multiple times, then perhaps I could work with Rephael so he would have that experience, and help him to be free from his autistic state of consciousness. Rephael’s frustration with his condition was not foreign to me – like him, I had a complex relationship with the thing I called “my mind”. It always felt to me that it runs faster than my conscious state can handle, and that made living with it an exhausting task for me and for the people around me. I remember one time a project manager told me “Please realise, I know that you see things we don’t, but you must help us understand what you see so we can also see it”. My problem was that many times I was unable to see the solutions as well – I felt there was something there, and it took a lot of effort and frustration to be able to form it in a way I could explain to myself and others. All my life I hoped I could have a different state of consciousness, a state of clarity. If I could find that, and if I could help Rephael have that experience, then we could both meet in that place of clarity. I promised myself that I would try anything to reach that state, regardless of whether these experiences would be considered OK by my ex-wife or my friends, or whether or not these experiments would fall within the given constraints of society, country, or culture.

I started saying yes to everything, and I mean everything: neuro-feedback, brainwave entrainment, a diverse array of sexual practices, pharmacological intervention, medicinal plants, ritual dancing, ritual breathing, electromagnetic pulses, meditation, a severe physical pain workshop, and poisonous substances – the list goes on and on. As you’re about to discover, like all revolutions this one has a list of casualties. I was extremely lucky that I was not part of that list, that I reached a safe haven – but I’m getting ahead of myself.

Let’s light the fire…

Ecstasis

And we’re back to “Stealing Fire”. The first part of the book talks about ecstasis, which is the Greek term for “to be or stand outside oneself, a removal to elsewhere”. Here is Jason Silva describing the notion of having what was called in the past a mystical experience, a description of the deepest state of ecstasis one can have:

Lost in the Rain

I was alone, on a moonless winter night, and to make it worse it had just started to rain. The bus I took dropped me in the middle of nowhere, and I wasn’t sure at all that I had got off at the right station, because the bus driver didn’t speak English and my darn phone battery had died half way through the journey. I was carrying a huge backpack, I was sad, tired, and more lost inside than I was outside. The last few years of trying to break the silence of Rephael’s autism had been unsuccessful. The more I tried, the more I realised that before I could think of healing my son I must face my own demons, but I had no clue how to do it. At some point during a cold winter I broke down and gave up. I contacted a South American friend, who introduced me to a shaman she knew, and I decided to leave everything and move to the Amazon jungle. I was ready to join the shaman – and then it was cancelled, which left me really angry, with nowhere to go, and no hope. At that point, I discovered that a sacred ceremony was taking place near where I was. I packed myself up and travelled for hours until I discovered I was lost again. Suddenly, out of nowhere I saw a flashlight. Another person with a backpack bigger than mine and a guitar approached me. “You’re going to the ceremony?” he asked me. “Yes”, I said, “but I have no idea where I am”. “It’s OK, follow me” he said, and I did. What I was about to experience was something I will forever remember – I was about to have a profound non-ordinary state of consciousness, my first mystical experience.

The Sacred Four

There are many events around the world that try to bring you to this state. None of them is as well known as Burning Man, a yearly gathering of people who celebrate ecstasis in extreme conditions. In Stealing Fire, Steven and Jamie expand on the importance of the event, and describe how the two founders of Google had an inner feeling that Eric Schmidt was the right person to lead Google when they heard he had already participated in Burning Man.

There are many events across the world which celebrate this spirit of merging into the group, but for many years they were considered by most people as “too crazy”. Take London, for example: most corporations in the capital like to involve their employees in mass sports events such as marathons, physical endurance challenges, or events dedicated to big charities. Events which lead the participants to dissolve their ego and merge in an uncontrollable way are as popular with the corporate world as a visit from the regulator.

In their essence, the Non-ordinary states of consciousness which are at the heart of the ecstasis state are characterised by the following four pillars:

Selflessness

Timelessness

Effortlessness; and

Richness

Why would Navy SEAL warriors want to be in such a state? Because it seems that this state is the most optimal state. It’s true not only for a team of men who are required to act as one while trying to capture a terrorist; it is true also for people who need to lead the most advanced technological organisations such as Google. As Steven Kotler said in the interview I mentioned before, “Most of the key skills, especially so-called 21st century skills, things range from creative problem solving, high-speed decision making, cooperation, collaboration – these are all the things we need to thrive in the 21st century – and we suck at. We’re really bad at them… we actually suck at training people at creative thinking. We have no idea how to do it, and the reason is, … we’re trying to upscale skills, while what we really need to be doing is training up states of mind”

Perhaps what’s so surprising to many is the fact that these special states are marked by the quieting down of circuits that are extremely busy during our “normal” state of consciousness. In fact, Duke University psychologist Mark Leary wrote about our “normal” state and describes it as the one which “…is single-handedly responsible for many, if not most of the problems that human beings face as individuals and as a species … [and] conjures up a great deal of personal suffering in the form of depression, anxiety, anger, jealousy, and other negative emotions.” (The Curse of the Self)

All of the above raises the question – if that new state is so special and great for us, why don’t we all do it? The answer to that relies on our social contract, or as the authors call it, our fear of being “beyond the pale”.

Frederick

“Do you speak English?” the man who entered the computer store I was managing asked me. “Sure”, I said. “Can you please take a look at my laptop? I have a critical application I must use and it doesn’t seem to work”. I said “Of course”, asked one of my employees to take over, and disappeared into our small lab. After 10 minutes I came back, handing him back his computer, telling him “It’s working now”. He smiled and said “Great! How much do I owe you?”, to which I replied “Nothing”. The man looked at me, surprised. “Really? Are you sure?”. I smiled back at his surprise and said “Yes. I didn’t have to replace anything, it was a configuration issue, so no charge”. “Wow, that is great! My name is Frederick, I’m a diplomat who works here. Can you tell me what you did?”. Frederick and I started talking, me in my not-so-great English at that time, and he with perfect English and a beautiful South American accent. In a short while we were both laughing and talking so loud that other people in the store started to stare at us. I was in my early 20s, working like crazy to try and sustain my new family; he was a foreign diplomat, with a lovely wife and family and endless friends. Soon Frederick became one of the only two true friends I had in the world. He was a person I could share everything with. He was smart, wise, with the curiosity of a little boy and a deep passion for life. Time passed, Frederick had to leave due to his role which took him across the globe, and in the last 10 years I lost track of him. Last week I felt an inner call to find him, to share this story with him. I felt that I really missed him. I tried on Facebook and couldn’t find anything. I tried to google and see where he is posted now as a diplomat, but couldn’t find anything. After a few minutes of searching I was shocked to find out that I will never be able to share my story with him, because he had passed away in 2014, at the age of 59.

Frederick – you were to me the older brother I never had. You inspired me, you supported me, you accepted me, you loved me. I feel you here right now, I hear your voice and your wonderful accent, I see you smiling, I feel your spirit. Bless you, my brother, and thank you. I was so blessed to be part of your life, part of your heart. I missed you, but now I found you, and we are here now once more, as you will forever be.

Mad Intelligence

“Man, you’re crazy. As your friend, PLEASE promise me not to tell anyone about this at work. You’re CRAZY!!!”.

We were sitting in a pub, and my work colleague was looking at me in total disbelief. I had just shared one of my past experiences with him, and it was too much for him. He was in good company – when my wife and I met for the first time, I told her about some of my journey, and afterwards she told me “I remember sitting there, thinking to myself that I have hit rock bottom, that I’m now on a date with this crazy dude who is doing a lot of drugs and is a member of a cult and a sex maniac”. None of these were true of course, but the cultural lens we all wear defines our reaction to others’ life experiences.

During my personal journey, I’ve met people who came to experience non-normal states of consciousness from all across the globe and all societies. I’ve met Jews, Buddhists, Muslims, Atheists, Christians, and any type of faith or non-faith you can think of. I’ve met scientists who work in academia and hippies who home-school their kids. I’ve met people of all sexual orientations, from people who practice celibacy to people who practiced group sexual experiences. I’ve met people who had deep personal experience with mind-altering chemicals and people who don’t even drink coffee. When I look back, perhaps the only common thread that united all these people is the fact that they did so either in hiding or did their best not to draw too much attention to their actions.

For a good reason.

Steven and Jamie introduce in the book a term rarely used these days: “beyond the pale”. When England invaded Ireland in the 12th century they created a large barrier which they called “the English Pale”, which acted as a border. Anyone who either left the area or came back from it was to be questioned about their motives, and if you remember the way questioning was done in the Middle Ages, I think you will agree with me it wasn’t a nice thing to experience.

In this chapter, the authors describe the different societal forces that treat people who go beyond what the group considers “legit” with fear and suspicion. They discuss our perception via the prism of religion and faith systems, via the prism of suspicion toward technology, and via the state. After all, history is filled with ecstatic explorations which ended up really badly. We will talk about this at great length at a later stage.

What we consider to be a “normative” experience and what is considered to be beyond that is a cultural story. Here are a few examples:

Be gay in a religious society and you might be in real danger of losing your life, depending on the environment.

Bring up a theory that is beyond the set of theories scientists see as “correct” and you have a real chance of being labelled a pseudo-scientist. Rupert Sheldrake has suffered for most of his career due to that; he even wrote a book about it called “The Science Delusion”.

“The whole problem with the world is that fools and fanatics are always so certain of themselves, and wiser people so full of doubts” (Bertrand Russell)

As we move away from what we perceive as a normal state of consciousness, the journey sometimes leaves us grasping for a cultural narrative that we can use to express what we felt. It’s a very strange thing to hack your consciousness, because it expands you beyond anything you have ever experienced. Imagine you are colour blind, and that one day you experienced colour for the first time. If you grew up in a society where everyone around you had never experienced colour, you would have no words to describe what you had just had. Societies are optimised around a certain set of ideas that define what is normal and what is not, and due to our human biases and our blindness to them, one can be manipulated into thinking we can define what is sane and what is insane.

So, first tip to anyone who wants to join the revolution – embrace your madness, because where you’re about to go and what you are about to experience will look to your normal state of consciousness like some sort of magic, divinity, or madness.

“This is a time for awakening, …this is a time to wake up out of the madness, because the history of humanity is the history of insanity. But for the first time in the history of this insanity the insanity is threatening to destroy us. Mad intelligence, that’s what humans have developed. You can call it “cleverness”. We’re all clever, but mad, mad intelligence… We’re coming to the end of this one way or another. Either we destroy ourselves, or we wake up out of that dream, the nightmare… To see your own madness is the beginning of healing insanity, because there is in every human being not only the madness but also sanity… It is liberating to say ‘we are mad!… mad… I am mad…but I realised that I’m mad!” (Eckhart Tolle, “1 Giant Leap”)

Time Capsule

“Hey Eh’den, I found two hard disks of yours”. My wife and I have been struggling with a water ingress issue in our son’s bedroom, and while she was taking the opportunity to un-hoard (also known as “throw away shit he is still keeping”) she discovered forgotten external hard disks of mine. One of them was a mini USB drive, 500GB of information which I thought I had already backed up onto my 2TB hard drive.

As I was going over the endless folders and sub-sub folders I discovered a folder called “videos”. And there I discovered old videos I took of my kids when they were young.

I played the videos to my wife. She was sitting next to me in silence, shocked. After watching a few of the videos she told me “Eh’den, I now understand why you refused to accept his autism. He looked so normal as a child”.

Looks so normal. Oh, how I miss my innocent Rephael, before puberty kicked in, before his body transformed into that of a teenager, growing in order to prepare him to become a man, not taking into account his brain that is not fit for the world we live in. These are memories from a time when I still had hope I could reverse his autism.

Now Rephael is in the bath, and I am talking to him, telling him in 3 languages that all I want is to talk with him, to hear what he thinks, what his heart is feeling. Tears fall from my eyes into the bath water, as Rephael looks at me with open eyes. Does he understand what I am saying? I can’t tell.

Oh, memories from a long, long time ago, thank you for reminding me of the journey, the music, and the silence.

Eh’den

[TO BE CONTINUED… REALLY SOON]

(C) All rights reserved, 2017.

Making Privacy Great Again (?) – The Blackphone Story – Part 4 – There’s a Snake in My Boot
http://www.senseofawareness.com/?p=1582
Thu, 27 Apr 2017 00:10:28 +0000
Blackphone as an allegory to why the bad guys are winning, a step-by-step guide to unlocking your device, and to whom you should say “you’re welcome!”.

By Eh’den Biber

First of all, my apologies for the delay in writing. It was totally unintended, but life, as you all know, has a comic view of our perception that we are in control of it. We are funny.

So, back to the Blackphone. I must admit that I’m surprised by what I learned. It’s so true that until we experience something as a personal experience, knowing facts related to that experience is meaningless. A total colour-blindness, an inability to grasp the vast spectrum of radiation most of us can perceive naturally.

But before we begin with the boot story, let me just highlight a surprising point – if you wanted proof that no one cares about security, INCLUDING security people, take a look at the vast body of security reviews that have been performed so far on the phone. I know, nothing out there.

I mean, if I can buy two units of the phone, I’m sure security researchers would have been able to do so. This was the first true attempt to provide a phone which would be secure AND not locked down like the Apple products are. I took the time to review it, but real businesses seem to have had no interest whatsoever in it, hence the financial situation that followed the release of the phone. This is REALLY BAD, because do you know who did buy the phone? State actors and cyber criminals, what we call “bad guys”. These people did it because they are trying to find weak points, and we who are their target act like spoiled fat rich people who were born to a wealthy father and who think that our perception of reality is the greatest. #MakeAmericaGreatAgain.

We, who live in democracies, are supposed to have an impact on our future, but at the end of the day the market is what counts. Take for example Google, the company that knows more about mothers’ children than they do, a company that in its IPO wrote the following words:

“We encourage our employees, in addition to their regular projects, to spend 20% of their time working on what they think will most benefit Google,” they wrote. “This empowers them to be more creative and innovative. Many of our significant advances have happened in this manner.”

Business Insider wrote a piece on it two years ago. It seems that the 20% was really 150% (normal Google hours) + 20%. The point is that there is a HUGE gap between what we need to do in order to stay ahead of the cyber-gap, and what our organisations allow us to do, which is to reach targets; anything beyond that is considered “extra”. A total lack of understanding of the nature of evolution.

OK, enough about politics.

The Android edition behind the Blackphone 2 is called “Silent OS”, which is supposed to be a more secure variant of the Android code, but like all Android devices it is heavily dependent on the boot process. If you are unfamiliar with that concept: when you start your mobile phone it first runs a basic set of commands which allows it to load what is called, in the Android world, aboot. Think of aboot as your computer’s BIOS. Linux and Android people, don’t kill me, I’m trying to use language that is understood by people who have been exposed to the PC universe. You know, the ones my kids call “old people” (me included). At this point aboot loads the kernel, initialises the hardware and allows you to run the operating system. Whatever runs between the time you start your machine and the moment you get a prompt is similar to what happens in all other OSes, and the boot is what makes it all happen.

So, let’s talk about the boot, and the security around it. The people at Google didn’t plan a bad OS. They tried to follow best practices, such as allowing only signed code to be deployed into specific elements that are trusted. In the normal situation, you should only be allowed to program/write to a partition of an Android device with images that have either been signed with a key the device recognises, or that were installed by code which was itself signed. Why? Because at this level you are controlling a lot of the hardware elements of your phone, and while most people don’t think about it, their mobile phone has to do a lot of things, consider a lot of elements, and do exactly what it has been programmed to do. Such as changing the rate at which your battery charges, for example. It means that someone can write malicious code that lets them play around with the charging of the system. The best case scenario for such code is to cause your battery to lose the capability to charge. Worst case? Think about a lithium battery that is overheated and you get the answer – a mini bomb, or as Samsung called it – “Note”. This is why unlocking a device means voiding your warranty. We would like to think it’s because of security, but that’s only our delusion.

Now if you are smart you know that you can most likely prevent such a thing from happening by engraving it in your hardware, but unless you are Apple it is extremely hard to control your production line. See what happened to Samsung, and remember the antenna problems the iPhone had at some point. In any case, the whole idea behind the Android OS is to allow anyone to use the code so that Google will be able to spy, sorry, gather information people voluntarily agreed to give.

This means that if you want to make any changes to the different elements you must first perform an OEM unlock, which allows you to flash some elements such as the recovery and the boot. There are endless guides on how to do so, but in case you want an express guide, here it is:

Start the device.

Go into Settings, then “About phone”.

Scroll down to “Build number” and tap it multiple times until you are given access to what is known as “Developer options”. Get out of the “About phone” sub-menu and enter the Developer options menu.

If you’re lucky, your phone manufacturer allows you to do so just by flipping a switch. Enable OEM unlocking.

After enabling the possibility of OEM unlocking, the next step is to perform the real unlock. To do so, you must download a piece of software from Google that allows you to perform it. It’s called “platform-tools-latest-windows.zip”. Extract the files to a directory and open a command line in it.

Time to shut down the phone – use a normal shutdown, but make sure it is not connected to a charger or a computer.

Now you need to put the phone in fastboot mode, which is achieved by pressing volume down and, while it is held, pressing the power button. When the screen shows you “android” you can release the keys and connect your phone to the computer.

In the case of Windows 10, no drivers need to be installed manually, but most likely they are downloaded automatically. On other OSes, you might need to install the drivers manually.

Type “fastboot devices” and you should see your device’s serial number.

To unlock at this stage, you need to type the following command: “fastboot oem unlock-go”. This will result in the loss of your data, as the phone will go through a factory reset. In most cases the aboot partition will be altered and from this moment on you will not be able to re-lock your device.

Oh, by the way, congratulations, you just lost your warranty; time to watch a video of a sad kitty cat.

Sadness is over, let’s go back to business.

The reason we unlocked the bootloader is that doing so allows you to “flash” (or program) the boot and the recovery images without the system validating the certificate that signed the code (if any). You can also do other things, such as writing and updating your wifi and WLAN modem firmware. And totally mess up your phone in a way from which it will never wake up.

The boot and recovery images that were available on the internet when I bought it were of version 3.0.7 of SilentOS – the last OS update before Silent Circle started to lure grey-market device owners into turning their devices into demo units. The boot images and the recovery images are usually compressed and there are multiple ways of unpacking them. I’ve used a tool called Carliv Image Kitchen to perform the task.

You remember the recovery partition? Now this lovely partition can be populated with a custom recovery image, also known as TWRP. This custom recovery allows you to perform extended activities such as backing up your device, file access to your system, installation of root (YES) and many more which you will soon find out. The good news was that there was a TWRP for the Blackphone 2; the bad news (for me) was that my device didn’t really work with it, and it booted up with a blank screen. When connected to my computer I was able to see it was working, but was unable to enable the screen. To solve this problem, I tried to find a way to unpack and change the TWRP recovery image so it would work. If you remember, I already had a device which seems to be using very similar hardware (the M5.5), so I used the TWRP recovery image of this device, replaced the kernel with the Blackphone 2 kernel, and it was almost perfect. Now when I booted the device into recovery mode, TWRP was working.

The next thing was to root. I must admit that when I got the device, the most common root solution, a product called SuperSU by Chainfire, didn’t work. Luckily for me, there were other solutions, one of which is Magisk. Magisk is a systemless root solution. OK, let me explain what that means.

In the past, Google sort-of-allowed root solutions to live happily ever after on the system partition. This is not the case anymore, which led developers to load the root-related files during the boot process. To do so, the systemless installer patches the boot partition, inserting the required executables and assigning the right permissions to them before the system partition is mounted.
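The boot image format that unpacking tools like Carliv Image Kitchen split apart, that the kernel swap described above operates on, and that a systemless root installer patches, as an added example in Python; this is not code from the post, from Silent Circle, or from the Carliv or Magisk projects. The field layout follows the AOSP version 0 boot image header; the kernel and ramdisk bytes, the command line and the load addresses are constructed placeholders, not real firmware.

```python
import hashlib
import struct

# Android boot image header, version 0 (the layout of Blackphone 2 era images).
# Field order and sizes follow AOSP's boot_img_hdr_v0; the header fills one page.
HDR_FMT = "<8s10I16s512s32s1024s"
HDR_LEN = struct.calcsize(HDR_FMT)          # 1632 bytes
MAGIC = b"ANDROID!"

# Constructed stand-ins for a kernel and a gzip ramdisk (not real firmware).
KERNEL_A = b"kernelA " * 300                # 2400 bytes
KERNEL_B = b"kernelB " * 400                # 3200 bytes, the "other device" kernel
RAMDISK = b"\x1f\x8b\x08" + bytes(700)      # 703 bytes
CMDLINE = b"androidboot.hardware=qcom"      # constructed sample command line


def _pad(n, page):
    """Round n up to a page boundary: every section is page-aligned."""
    return (n + page - 1) // page * page


def _image_id(kernel, ramdisk, second):
    """SHA-1 that mkbootimg stores in the 'id' field: each blob then its u32 size."""
    h = hashlib.sha1()
    for blob in (kernel, ramdisk, second):
        h.update(blob)
        h.update(struct.pack("<I", len(blob)))
    return h.digest().ljust(32, b"\0")


def pack_boot_image(kernel, ramdisk, second=b"", page=2048, name=b"", cmdline=b""):
    """Build a v0 boot.img: header page, then kernel, ramdisk, second, each padded."""
    # Load addresses are placeholder values; real ones come from the device's image.
    fields = (MAGIC, len(kernel), 0x10008000, len(ramdisk), 0x11000000,
              len(second), 0x10F00000, 0x10000100, page, 0, 0,
              name, cmdline, _image_id(kernel, ramdisk, second), b"")
    out = struct.pack(HDR_FMT, *fields).ljust(page, b"\0")
    for blob in (kernel, ramdisk, second):
        out += blob.ljust(_pad(len(blob), page), b"\0")
    return out


def unpack_boot_image(img):
    """Split boot.img into its sections, the way image kitchen style tools do."""
    f = struct.unpack(HDR_FMT, img[:HDR_LEN])
    if f[0] != MAGIC:
        raise ValueError("not an Android boot image")
    page, sizes = f[8], {"kernel": f[1], "ramdisk": f[3], "second": f[5]}
    off, parts = page, {}                   # the header occupies exactly one page
    for key in ("kernel", "ramdisk", "second"):
        parts[key] = img[off:off + sizes[key]]
        off += _pad(sizes[key], page)
    parts["cmdline"] = f[12].rstrip(b"\0")
    # Consistency check: a section edited without re-running the packer
    # (or a truncated download) no longer matches the stored id.
    parts["id_ok"] = f[13] == _image_id(parts["kernel"], parts["ramdisk"], parts["second"])
    return parts


def replace_kernel(img, new_kernel):
    """Keep ramdisk and cmdline, swap only the kernel (the M5.5 TWRP + BP2 kernel trick)."""
    f = struct.unpack(HDR_FMT, img[:HDR_LEN])
    p = unpack_boot_image(img)
    return pack_boot_image(new_kernel, p["ramdisk"], p["second"],
                           page=f[8], name=f[11], cmdline=f[12])


if __name__ == "__main__":
    img = pack_boot_image(KERNEL_A, RAMDISK, cmdline=CMDLINE)
    swapped = unpack_boot_image(replace_kernel(img, KERNEL_B))
    print(len(img), swapped["kernel"] == KERNEL_B, swapped["id_ok"])
```

The id field is only a consistency check: any repacker that recomputes it (as a root installer does) will pass, so on an unlocked device the missing signature verification described above is what actually lets a patched boot image run.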

So… that’s the easy part. To install the Magisk root you need to:

boot into recovery

press install

scroll to the external sd card where you stored the magisk.zip file

select; and

install

That’s it. You’re almost there. When you start your Blackphone it will scream at you that it detected an active root, so don’t forget to say to the OS … “you’re welcome”.

The much, MUCH more interesting part for me was to try to figure out the boot process while reading about it as little as possible. I took the M5.5 boot partition as well as those of other phones, and using a program called WinMerge I compared the loading scripts of the two phones, which, again, had almost identical hardware.

The most interesting thing I found is the fact that the way the Blackphone was using the mobile and wifi modem code was very different from other phones. Normally, there are a bunch of services that are loaded during the boot process and that are related to the mobile chipset provider (in this case, Qualcomm). Not in the Blackphone; the Blackphone seems to delay the whole process to a later stage, most likely to provide its CIDS, what Silent Circle calls “Cellular Intrusion Detection System”. As mentioned before, there is another element which I’m not sure how Silent Circle handled, and that’s the extensive rights the modem firmware usually has. It’s hard to know, and frankly, this should have been answered at a con by a person who was asked to perform an analysis of the phone.

I think I will stop now. I wish to share with you some very practical advice on what you can do in order to be secure, and all of you can achieve it with an unlocked device and a little bit of root. Also, in the next post I will defend the right to root and explain why having a rooted device does not automatically mean that it is less secure than a non-rooted device.

(This is part 3 in a series of articles I’m publishing about my investigation into the security of the Silent Circle Blackphone 2. In case you missed them, I invite you to read part 1 and part 2)…

Now that I have received the Blackphone 2 I was facing a dilemma – what would be the best way to investigate it? To answer that, I decided to ask myself what Matt Damon would do if he were me.

To explain what the heck I mean by that, I wish to introduce to you a remarkable educator (and a real Mensch) called Dr. Nancy Carlsson-Paige. She is a Professor Emerita at Lesley University where she taught teachers for more than 30 years and was a founder of the University’s Center for Peaceable Schools, but to many she is known because of her son, Matt Damon. A few years ago, I was in contact with Dr. Carlsson-Paige because of my son’s autism, and I’m extremely grateful for her words and advice. I encourage you to read her book “Taking Back Childhood: A Proven Road Map for Raising Confident, Creative, Compassionate Kids”; it is a masterpiece.

Anyway, back to Matt. Four years ago, Dr. Carlsson-Paige gave a TED talk in which she described how, many years ago, she managed to set her place on fire, and how Matt (who was five years old at the time) ran out of the room, and how he ran back wearing his red corduroy bathrobe, his black lashes, a fire-fighter hat, a diver’s mask, and a little rubber tube which he used to play as if he were spraying water on the fire. He was playing.

Let me share with you what Dr. Carlsson-Paige said about child learning:

Fantasy and reality in the minds of young kids are not separate worlds the way they are for us, they are very intertwined, they’re very enmeshed. All children know how to play. Playing is as natural to kids as walking and talking, and it’s just as essential to their healthy growth. Play is the root of learning for kids. For little kids, process is really what matters, they don’t cling to products. When a child is being taught that this “4” means four, he learns that this is a name, but this does not mean the child understands the concept of it. We can have four tires, four pennies, four elephants, and those groups of four things look incredibly different. In order to understand that they are all four we have to abstract the idea of four out of the group of things and think about the “four-ness” they have in common. That’s a very complicated idea and it takes a child many years to figure it out. The name of the number and the concept of the number are not the same thing. You can directly teach the name of the number easily. You can sit the kids down and teach them “that’s 4, that’s 5, that’s 6.” It’s simple – you just show them the symbol and teach them the name, but for them to understand the concept of 4, that’s something they have to build over time, that they have to build in their own mind. It’s a kind of understanding that has to develop in the mind as a result of experience and activity and interaction. It’s not something that can be directly taught. It’s much more complicated than the simple naming of the number, and children can name the number without understanding the concept because they are two different activities.

And now, I will quote and paraphrase Dr. Carlsson-Paige’s words so they apply to our topic of educating security:

The difference between understanding concepts and reciting facts is very important for us to understand right now, because it captures the essence of what is happening in education today. There is a gross misunderstanding of what education is, that has swept across the country, and the unfortunate belief is that you can directly teach, and you can measure and you can quantify learning. But the truth is it’s only the most superficial and most mechanical aspects of learning that can be reduced to numbers… the only way that you can get people to all learn the same thing at the same time is to sit them down and pour in or stuff in the information into their heads, whether they’re ready to learn it or not. All the power of the learning experience … the initiative, the creativity, the fact one can define and solve their own problem, original thinking, the ability to invent new ideas, perseverance, cooperation and working together on a common project – all these amazing capacities are cut out when we drill and grill. When we take the natural and powerful capabilities that people have out of the education equation we take the love out of learning, we take the joy out of learning. We have a dramatic disappearance of play, both kinds of play – the make-believe play and the hands-on play with materials, especially in the poorest communities, because education depends on funding. I wish you could see the faces I see when I witness people who are being forced to follow education activities. A lot of people look confused, they look tuned out, some of them look scared, some are sad or crying, many of them have already learned a sense of failure. Because when you have right answers and wrong answers, when there is only one way to solve a problem, then you get it right or wrong and you’re a winner or you’re a loser. I feel a lot of anguish for those I see. They try so hard to adapt themselves to the unfit approaches that are being used today. They REALLY try to learn the information that the instructor tells them they’re supposed to know. But their spirit retreats. CEOs love to say that “our employees are our greatest and most valuable resource”, but the resources are inside of them, and what we have to do is to figure out how we create an education system that nurtures and develops and builds on the magnificent capacities that human beings bring when they play.

And this brought me back to 2011. In 2011, the legend also known by the name of Dan Kaminsky came to BruCON and gave what is probably one of the best presentations I’ve seen on Bitcoin. I remember his talk because he started by saying “the purpose of this talk is to play with toys”. Here is a link to a video of the same talk he gave at the 2011 Chaos Communication Congress, due to its higher quality:

So yes, the easiest way to solve my problems was to try to see what others had done before, and there are multiple sites that share information, most notably the XDA Developers forums. However, I wanted to try and see if limiting the exposure to “names” and having as much “hands on” experience as possible would work. For example, instead of sitting down reading a book or watching a YouTube video on the whole boot process, I decided to see if I could figure out the process by myself with as little prior knowledge as possible. Or, in other words – I decided to play like a child does, to learn by failure without even realising it is failure. I decided to pretend I’m Mr Robot, and started my imaginary adventure to hack my new toy. See you in part 4, where I will share with you how easy it was to hack the phone… or not…